Hi Marvin, Thank you very much for your response. I read through the document and, as it says, if I have an Active/Standby ASA setup, I can just use the single license I have on the Active ASA and the VPN works even during a failover situation? Please do let me know, and thanks in advance.

Dear Team, We have two Cisco ASAs connected in an ACTIVE-STANDBY setup. I wanted to configure AnyConnect VPN and purchased an AnyConnect license from Cisco through our partner company. When I tried registering the license and sharing it with the other ASA on the Cisco website, I wasn't able to do it. I logged a ticket with the Cisco licensing team and they told me that I need to purchase a PLUS or APEX license. So, I request your suggestions with this case, as every other person is giving me different answers. This is the license I have currently: L-AC-VPNO-25= Cisco AnyConnect VPN Only, 25 Simultaneous (eDelivery). Thank you.

Yes, I do have a self-signed certificate on my ASA. We use the L2TP/IPsec protocol for the remote VPN. So, would it still be using 443 in the background?
I am sorry for so many questions. I am not so good with the certificate concepts.
Thank you very much.

Dear All,
We use a third-party tool for vulnerability tests on our internet-facing devices, and for my Cisco ASA5508 I got the error below.
SSL Certificate Cannot Be Trusted 443 / tcp / cisco-ssl-vpn-svr
I am not hosting any gateway service from this ASA, no SSL VPN or AnyConnect service.
I do not want to purchase a third-party certificate to make this error go away.
I do have IPsec tunnels running from here and a remote VPN service (not using AnyConnect).
So, I did some research and understood that I need to disable the HTTPS/SSL/443 services on the ASA to make this error go away. But I would like to know if there would be any impact on my other services, and also whether I can accomplish this through some ACL on my outside interface.
CC-ASA5508-1# sh run http
http server enable
http CCNET 255.255.0.0 INTERNAL
http 10.0.0.0 255.0.0.0 INTERNAL
CC-ASA5508-1# sh asp table socket
Protocol  Socket    State    Local Address            Foreign Address
TCP       02016d48  LISTEN   10.207.4.2:22            0.0.0.0:*
SSL       0201f978  LISTEN   10.207.4.2:443           0.0.0.0:*
SSL       02025678  LISTEN   20C.CCC.CCC.CCC:443      0.0.0.0:*
DTLS      00037b28  LISTEN   20C.CCC.CCC.CCC:443      0.0.0.0:*
TCP       c1a01998  ESTAB    10.207.4.2:22            172.16.32.77:59549
CC-ASA5508-1#
Thank you very much in advance.
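An added example, not from the thread or from Cisco: it parses a "show asp table socket" listing like the one in the post above and reports which port 443 listeners are bound to an address outside the management networks, which is what an external scanner such as the poster's reaches. The sample listing is constructed (203.0.113.5 stands in for the masked outside address); the 10.0.0.0/8 internal network is taken from the post's "http ... INTERNAL" line.

```python
import ipaddress
import re

# Constructed sample output modelled on the post's "sh asp table socket" listing;
# 203.0.113.5 is a documentation-range placeholder for the outside address.
SAMPLE_ASP_SOCKET = """\
Protocol  Socket    State      Local Address            Foreign Address
TCP       02016d48  LISTEN     10.207.4.2:22            0.0.0.0:*
SSL       0201f978  LISTEN     10.207.4.2:443           0.0.0.0:*
SSL       02025678  LISTEN     203.0.113.5:443          0.0.0.0:*
DTLS      00037b28  LISTEN     203.0.113.5:443          0.0.0.0:*
TCP       c1a01998  ESTAB      10.207.4.2:22            172.16.32.77:59549
"""

# From the post's "http 10.0.0.0 255.0.0.0 INTERNAL" line; assumed here to be the
# only network that should ever reach management or VPN listeners on this ASA.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# One socket row: proto, hex socket id, state, local ip:port, foreign ip:port.
# The header line fails the hex socket-id group and is skipped.
ROW = re.compile(r"^(\S+)\s+([0-9a-f]+)\s+(\S+)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*$")


def parse_asp_sockets(text):
    """Return one dict per socket row found in the listing."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        proto, _sock, state, laddr, lport, faddr, fport = m.groups()
        rows.append({"proto": proto, "state": state, "local_ip": laddr,
                     "local_port": int(lport) if lport != "*" else None,
                     "foreign": f"{faddr}:{fport}"})
    return rows


def exposed_listeners(rows, internal_nets, port=443):
    """LISTEN sockets on `port` whose local address is in none of the internal
    networks, i.e. the ones reachable from the internet side."""
    hits = []
    for r in rows:
        if r["state"] != "LISTEN" or r["local_port"] != port:
            continue
        ip = ipaddress.ip_address(r["local_ip"])
        if not any(ip in net for net in internal_nets):
            hits.append((r["proto"], r["local_ip"]))
    return hits


if __name__ == "__main__":
    for proto, ip in exposed_listeners(parse_asp_sockets(SAMPLE_ASP_SOCKET), INTERNAL_NETS):
        print(f"externally reachable {proto} listener on {ip}:443")
```

On the constructed sample this reports the SSL and DTLS listeners on 203.0.113.5:443 and nothing for the 10.207.4.2 sockets, which mirrors what the scanner saw on the outside interface.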

So, here is the requirement exactly.
We have our own AS number with the CenturyLink ISP. We are running BGP with the ISP peer (this is on the ISR).
So, now I am planning to migrate the Internet link to the ISR, so that both MPLS and Internet are on the same router.
Once this migration happens, I need to build a S2S tunnel towards a different BGP peer or some ISP IP which they will provide me, and make the MPLS the primary and the S2S the secondary link. So, I was thinking of using IPSLA between the MPLS and the S2S VPN.
That's my thought. I have never implemented it or tried it. So, I am super confused on how to do all this.
Hope you can help me with suggestions.

Hi Friends,
My name is Deepthi and I work as a network admin. I am sorry if I am troubling you with my message. I am working on MPLS, VPN and IPSLA.
I am new to MPLS setups and everything, and so this is getting super confusing for me. Please do not mind my long mail.
I am currently working on 2 projects.
1. Building a S2S VPN tunnel towards an AWS cloud network.
2. Building a S2S VPN as a backup when my BGP peer dies (planning to use IPSLA).
So, here, I had to build a S2S tunnel from the Fortigate towards the AWS cloud and then do the IPSLA from the ISR. So, it was hard, and so I decided to move my internet termination link to the ISR.
So, once moved, I need to build both S2S tunnels (1. towards the AWS cloud, 2. towards a different IP when the BGP peer is down).
So, my setup is like this:
Current setup:
Core Switch --> Fortigate --> Internet cloud
<< Need a S2S tunnel here for AWS>>
Core Switch --> Fortigate ---> MPLS Router --> MPLS Cloud.
<< Need a S2S tunnel here for monitoring the BGP peer and using the back up link >>
Proposed setup:
Core Switch --> Fortigate --> MPLS Router ---> Internet & MPLS termination
<< Need 2 S2S tunnels built >> So, do I need to build them both from the MPLS router, or can I build one from the Fortigate also?
I would like you to suggest how I should do these. Please let me know if there is any document I need to refer to; any suggestion would be of great help to me.
Thanks a lot. And I am really sorry for troubling you.

Hi Reza,
I have a complicated situation. :)
My ISR does not have an internet gateway.
LAN -> Core Switch -> Fortigate -> ISR (MPLS) -> MPLS cloud
So, this is the path. The internet gateway is available on the Fortigate. So, right now, I am pointing all my MPLS traffic towards the ISR from the Fortigate.
Thank you.

Hi Whitlow,
Thank you very much for the response.
At 4 of the locations, we are using static routes to advertise our network, and at one location we have OSPF redistributing the routes. So, this is what I have in mind: we have internet gateways at all the locations, and so I was thinking of building a S2S tunnel from my Fortigate firewall to a different PE router of the MPLS ISP and monitoring the MPLS primary connection using IPSLA. So, this is just a thought, but I am not sure how far it is correct. Please do correct me if I am wrong.
Thank you.
Deepthi